Ingest Cisco SG250 syslog to Wazuh

If you want to feed your Cisco SMB SG250 switches into your Wazuh SIEM, you will need to write your own decoder: Wazuh ships no decoder for the message format these devices emit. The steps below assume the switches already send syslog to the Wazuh manager and that the manager accepts remote syslog (a `<remote>` block with `<connection>syslog</connection>` in /var/ossec/etc/ossec.conf, restricted with `<allowed-ips>` to your switch addresses).

Open /var/ossec/etc/decoders/local_decoder.xml and add a new decoder:

<decoder name="cisco-SG250">
  <!-- SG250 messages start with a %FACILITY-SEVERITY-MNEMONIC: tag; that is the cheap prematch -->
  <prematch>^%\.+:</prematch>
  <!-- OS_Regex syntax: \. matches any character, \s matches a space. First group is the tag, second the text -->
  <regex>^%(\.+):\s+(\.*)</regex>
  <order>action,message</order>
</decoder>

Now every syslog message from your switches is decoded into the fields action and message and lands in the Wazuh index. If you want to raise an alert for, e.g., a root login, write a rule in /var/ossec/etc/rules/local_rules.xml. Scoping it with decoded_as keeps it from firing on unrelated events that happen to contain the same text:

<group name="local,syslog,sshd,">
  <rule id="100002" level="5">
    <!-- only evaluate events that came through the SG250 decoder -->
    <decoded_as>cisco-SG250</decoded_as>
    <!-- field regexes use OS_Regex syntax as well -->
    <field name="message">\.* root over ssh \.*</field>
    <description>Root user login via SSH detected</description>
  </rule>
</group>


Before restarting, paste a sample switch message into the log test tool (/var/ossec/bin/wazuh-logtest on Wazuh 4.x, /var/ossec/bin/ossec-logtest on older releases) to confirm the decoder extracts action and message and that rule 100002 fires. Then restart the manager via /var/ossec/bin/ossec-control restart (/var/ossec/bin/wazuh-control restart on 4.x) and you are good. Level 5 is above the default alert threshold of 3, so matches show up in alerts.log and in the dashboard.
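To see what the decoder and rule above do to actual lines without touching a Wazuh manager, here is an added Python walk-through that is not Wazuh code and not part of the original post. It translates the two OS_Regex patterns to Python re just far enough to run them (OS_Regex is not PCRE; the translation table and the assumption that `\s` may be widened to any whitespace are simplifications), applies prematch, regex and order the way analysisd does, and evaluates rule 100002 with a decoded_as scope. The sample messages are constructed in the SG250 style, not captured from a device, and are assumed to be the text left after Wazuh's syslog pre-decoding, i.e. starting with the `%` tag. wazuh-logtest remains the authoritative check.

```python
"""Offline walk-through of the cisco-SG250 decoder and rule 100002.

Added illustration, not Wazuh code: OS_Regex is approximated with Python re.
"""
import re
from typing import Optional

# OS_Regex escapes mapped to Python re (the page uses \. and \s; the rest are
# common siblings). \p is approximated as "not word, not space".
_ESCAPES = {
    ".": ".", "s": r"\s", "S": r"\S", "w": r"\w", "W": r"\W",
    "d": r"\d", "D": r"\D", "t": r"\t", "p": r"[^\w\s]", "\\": r"\\",
}
# Literal in OS_Regex but special in Python re, so they must be escaped.
_LITERAL_IN_OSREGEX = set(".[]{}")


def osregex_to_python(pattern: str) -> str:
    """Translate an OS_Regex pattern into an (approximate) Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        out.append("\\" + c if c in _LITERAL_IN_OSREGEX else c)
        i += 1
    return "".join(out)


# The decoder from local_decoder.xml, as data.
DECODER = {
    "name": "cisco-SG250",
    "prematch": r"^%\.+:",
    "regex": r"^%(\.+):\s+(\.*)",
    "order": ["action", "message"],
}

# Rule 100002 from local_rules.xml; decoded_as scoping is an addition here.
RULE_100002 = {
    "id": 100002,
    "level": 5,
    "decoded_as": "cisco-SG250",
    "field": ("message", r"\.* root over ssh \.*"),
    "description": "Root user login via SSH detected",
}


def decode(log: str, decoder: dict = DECODER) -> Optional[dict]:
    """Return decoded fields for `log`, or None when the prematch fails.

    `log` is assumed to be the message after syslog pre-decoding, starting
    with the SG250 '%FACILITY-SEVERITY-MNEMONIC:' tag.
    """
    if not re.search(osregex_to_python(decoder["prematch"]), log):
        return None
    event = {"decoder": decoder["name"]}
    m = re.search(osregex_to_python(decoder["regex"]), log)
    if m:  # prematch hit but regex may still fail: event stays without fields
        event.update(zip(decoder["order"], m.groups()))
    return event


def match_rule(event: Optional[dict], rule: dict = RULE_100002) -> bool:
    """True when the event came from the rule's decoder and the field regex hits."""
    if event is None or event.get("decoder") != rule["decoded_as"]:
        return False
    name, pattern = rule["field"]
    value = event.get(name)
    return value is not None and re.search(osregex_to_python(pattern), value) is not None


def triggered_alerts(logs):
    """Return (rule id, level, action, log) for every line that fires rule 100002."""
    alerts = []
    for log in logs:
        event = decode(log)
        if match_rule(event):
            alerts.append((RULE_100002["id"], RULE_100002["level"], event["action"], log))
    return alerts


# Constructed sample lines in SG250 style (not captured from a real switch).
SAMPLE_LOGS = [
    "%AAA-I-CONNECT: User CLI session for user root over ssh , source 192.0.2.10 destination 192.0.2.1 ACCEPTED",
    "%AAA-I-CONNECT: User CLI session for user admin over ssh , source 192.0.2.11 destination 192.0.2.1 ACCEPTED",
    "%LINK-W-Down:  gi1/0/7",
    # A Linux sshd line: fails the '%' prematch, so this decoder never sees it.
    "sshd[2211]: Accepted password for root from 192.0.2.50 port 51234 ssh2",
]

if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(decode(log))
    for rule_id, level, action, log in triggered_alerts(SAMPLE_LOGS):
        print(f"rule {rule_id} level {level} ({action}): {log}")
```

Running it decodes the three switch lines, leaves the sshd line undecoded, and fires rule 100002 exactly once, for the root session. If you extend the rule with more fields or change the regex, this is a quick way to check the intended lines still match before you go through logtest and a manager restart.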